It is a fact of life that the more you are exposed to something, the less likely you are to pay close attention to it in the future.
Particularly in an industry such as banking, where we are constantly bombarded with industry “jargon” and detailed regulatory pronouncements, it can be far too easy to miss the big-picture purpose.
And one area that I have seen many institutions overlook is enterprise risk management that is “appropriate for the size and complexity of the institution.”
Getting a handle on “ERM”
Enterprise risk management is a process of identifying and assessing risks to the organization as a whole, rather than simply identifying and assessing risk to a particular department or function of the bank.
For example, rather than identifying credit risk and assessing the potential impact of that risk on the loan portfolio, enterprise risk management identifies the risks in the loan portfolio and assesses them as a component of total risk facing the organization.
In other words, managing your enterprise risks means viewing compliance risk, strategic risk, operational risk, liquidity risk, credit risk, and interest rate risk as components of the whole, rather than in isolation.
Admittedly, managing enterprise risks may seem like a daunting task. This is where the phrase “appropriate for the size and complexity of the organization” comes into play. No one—not even your regulator—expects a $250 million community bank to have the same risk management policies and procedures as a $2 billion regional institution.
The reality is a $250 million bank that is trying to perform the enterprise risk management function of a $2 billion institution is grossly wasting the organization’s time and resources.
Sometimes going “above and beyond” is simply overreacting.
Don’t go the other way, either
But I have also seen institutions go in the other direction and grossly underreact.
Even though a $250 million institution does not need to have an enterprise risk management system equal to that of a regional bank, it should have something.
A simple “we do not think that it is going to be a problem” is not going to cut it.
Management does not need to provide the board a 50-page report on risk factors every month, but the upper levels of the organization’s hierarchy do need to have a firm understanding of how various, distinct risks impact the organization as a whole, which will require some form of analytics and reporting methodology.
Do not use size as a cop-out. I have seen small banks with incredibly sophisticated risk management processes. Simply because the organization is “small” from an assets perspective does not mean it does not face significant risks.
How to get it right
With that said, let me offer a few “tips” related to enterprise risk management.
First, “risk management” is an issue of bank culture.
The board and senior management can put into place the most sophisticated policies and procedures imaginable, and they will not do any good if the frontline staff does not understand what it means to “manage” and “assess” risk.
Bank culture and risk culture start at the top. The goal is to work that culture down into every position at the bank.
Second, create risk “priorities.”
One of the reasons many community banks are easily intimidated by enterprise risk management is that they view it as simply identifying every minute risk that could possibly impact the organization.
While partly true, the primary goal is to identify those risks that have the greatest impact on bank profitability. This is related to my point earlier about overreacting. Enterprise risk management is a strategic endeavor. Every bank needs to identify those risks that pose the greatest threat to the organization’s long-term prospects.
Certain risks, though quantifiable, have relatively little impact on the organization’s operations as a whole. You should still implement processes that help identify those risks, but the institution’s resources should be targeted primarily at risks that could have a significant impact.
Third, utilize tables, graphs, and summaries in your reporting.
This may seem like nit-picking, but putting average ATM fraud occurrences in a spreadsheet and printing it for the next meeting is not managing enterprise risk.
Frontline data, when viewed in isolation, has little impact on assessing overall risk. That is not to say such data is not important. However, it must be a piece of an organized whole. Provide a summary of major risk areas, and let the line item data support the big picture.
The bottom line is, as a community bank, you have to have risk management systems that are appropriate for your size and organizational structure.
The “shotgun” approach will not work, and neither will kicking the can down the road for another few years. As community bankers, we must take the time to understand our institution and assess how certain risks impact the entire structure.